[AusNOG] "stateless TCP" for DNS

Mark Andrews marka at isc.org
Mon Nov 15 16:00:34 EST 2010


In message <4CE083B6.4060702 at swin.edu.au>, Mattia Rossi writes:
> Hi Terry,
> 
> thanks for your feedback. I substantially agree with your view of the 
> issue. See further comments inline.
> 
> On 15/11/2010 03:12, Terry Manderson wrote:
> [..]
> >
> > The 2009 OARC DITL analysis showed that, at the time, 65% of resolvers
> > used a message size of 4096.
> > At a meeting at IETF in Beijing last week someone suggested that they
> > see 70% of queries, I don't have any data to support this but it seems
> > plausible that there is a growth in EDNS support. Further, in reading
> > the paper "Improving DNS performance ... in FreeBSD" I got stuck on the
> > suggestion in the paper which says "Most DNS servers are configured to
> > allow only a maximum UDP packet size of 512 bytes", I assume you mean
> > RFC1035 section 2.3.4 "will not output a packet longer than 512 bytes
> > long". However we do have EDNS (RFC2671) which is not mentioned in the
> > paper. The current default for edns-udp-size in bind is 4096. And surely
> > as DNSSEC is deployed, requiring new(er) DNS server releases, server
> > response size capability will be on an incline.

Given how many assumptions in the introduction do not match with reality I'm
surprised this paper passed internal peer review.

* However, most DNS servers are configured to allow only a maximum
UDP packet size of 512 Bytes.

[ Most DNS servers are configured to honour UDP sizes in EDNS requests.
Even then those that reduce the size usually do it to the level of
preventing IP fragmentation.  Almost no servers reduce it to 512
bytes as there are very few firewalls that block outgoing large
replies. ]

* Using IPv6 and DNSSEC, the DNS response will always exceed 512 Bytes.

[ Which is demonstrably wrong. 

; <<>> DiG 9.6.0-APPLE-P2 <<>> +dnssec br @a.root-servers.net
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 32934
;; flags: qr rd; QUERY: 1, ANSWER: 0, AUTHORITY: 8, ADDITIONAL: 9
;; WARNING: recursion requested but not available

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 4096
;; QUESTION SECTION:
;br.				IN	A

;; AUTHORITY SECTION:
br.			172800	IN	NS	d.dns.br.
br.			172800	IN	NS	c.dns.br.
br.			172800	IN	NS	e.dns.br.
br.			172800	IN	NS	f.dns.br.
br.			172800	IN	NS	a.dns.br.
br.			172800	IN	NS	b.dns.br.
br.			86400	IN	DS	41674 5 1 EAA0978F38879DB70A53F9FF1ACF21D046A98B5C
br.			86400	IN	RRSIG	DS 8 1 86400 20101122000000 20101114230000 40288 . CpOUaSB9+S8lJftPqsXv1btpINwTvQYXSfh8pBdf0UPhyQdOo0kkrHBN s/dnxPGMxxsAFzKeviHkFsqE4OaQdQuRoA7SI5ErZBTyAwf0HSld8ttJ 4d4IEfSUnL0VIBCGEIcyMbD4yphtzH0Ja7MtuAeKz4OynyTSiWVsivwP Yvw=

;; ADDITIONAL SECTION:
a.dns.br.		172800	IN	A	200.160.0.10
a.dns.br.		172800	IN	AAAA	2001:12ff::10
b.dns.br.		172800	IN	A	200.189.40.10
c.dns.br.		172800	IN	A	200.192.232.10
d.dns.br.		172800	IN	A	200.219.154.10
e.dns.br.		172800	IN	A	200.229.248.10
e.dns.br.		172800	IN	AAAA	2001:12f8:1::10
f.dns.br.		172800	IN	A	200.219.159.10

;; Query time: 163 msec
;; SERVER: 198.41.0.4#53(198.41.0.4)
;; WHEN: Mon Nov 15 15:48:59 2010
;; MSG SIZE  rcvd: 478
]

* Firewalls and NAT boxes are known to drop DNS UDP packets which
are larger than 512 Bytes.

[ Which depends on the firewall configuration (newer defaults allow 4096-byte
UDP responses by default when talking EDNS) and whether you are talking
to the NAT (broken proxies often without TCP support) or through the NAT
(usually no issues).

Also if firewalls blocking responses bigger than 512 bytes were an issue it
would have turned up years ago as the non-DNSSEC EDNS referral to the
COM and NET servers has been bigger than 512 bytes for a long time now.

; <<>> DiG 9.6.0-APPLE-P2 <<>> example.com +edns=0 @a.root-servers.net
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 44601
;; flags: qr rd; QUERY: 1, ANSWER: 0, AUTHORITY: 13, ADDITIONAL: 16
;; WARNING: recursion requested but not available

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;example.com.			IN	A

;; AUTHORITY SECTION:
com.			172800	IN	NS	h.gtld-servers.net.
com.			172800	IN	NS	a.gtld-servers.net.
com.			172800	IN	NS	e.gtld-servers.net.
com.			172800	IN	NS	k.gtld-servers.net.
com.			172800	IN	NS	j.gtld-servers.net.
com.			172800	IN	NS	d.gtld-servers.net.
com.			172800	IN	NS	g.gtld-servers.net.
com.			172800	IN	NS	l.gtld-servers.net.
com.			172800	IN	NS	c.gtld-servers.net.
com.			172800	IN	NS	b.gtld-servers.net.
com.			172800	IN	NS	m.gtld-servers.net.
com.			172800	IN	NS	f.gtld-servers.net.
com.			172800	IN	NS	i.gtld-servers.net.

;; ADDITIONAL SECTION:
a.gtld-servers.net.	172800	IN	A	192.5.6.30
a.gtld-servers.net.	172800	IN	AAAA	2001:503:a83e::2:30
b.gtld-servers.net.	172800	IN	A	192.33.14.30
b.gtld-servers.net.	172800	IN	AAAA	2001:503:231d::2:30
c.gtld-servers.net.	172800	IN	A	192.26.92.30
d.gtld-servers.net.	172800	IN	A	192.31.80.30
e.gtld-servers.net.	172800	IN	A	192.12.94.30
f.gtld-servers.net.	172800	IN	A	192.35.51.30
g.gtld-servers.net.	172800	IN	A	192.42.93.30
h.gtld-servers.net.	172800	IN	A	192.54.112.30
i.gtld-servers.net.	172800	IN	A	192.43.172.30
j.gtld-servers.net.	172800	IN	A	192.48.79.30
k.gtld-servers.net.	172800	IN	A	192.52.178.30
l.gtld-servers.net.	172800	IN	A	192.41.162.30
m.gtld-servers.net.	172800	IN	A	192.55.83.30

;; Query time: 161 msec
;; SERVER: 198.41.0.4#53(198.41.0.4)
;; WHEN: Mon Nov 15 15:57:22 2010
;; MSG SIZE  rcvd: 528

]


Mark
-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: marka at isc.org
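The three points argued in the post all come down to fields in the DNS wire format: the size of the message, the TC (truncation) bit that sends a resolver to TCP, and the UDP payload size a requester advertises in its EDNS0 OPT record (RFC 2671). The script below is an added example, not code from the post, from BIND or from dig. It builds the kind of EDNS0 query that `dig +dnssec` sends, constructs sample responses (constructed, not captured traffic) that fall on either side of the 512-byte line, and parses them to report those fields. All function names, the transaction id and the 192.0.2.x / ::N addresses are assumptions made for the example.

```python
"""Minimal DNS wire-format helpers to illustrate the EDNS0 size discussion.

Added example (not from the mailing list post): builds an EDNS0 query, a
constructed response, and parses either to report the fields the thread
argues about: message size, the TC bit, and the advertised UDP buffer size.
"""
import struct

CLASSIC_UDP_LIMIT = 512   # RFC 1035 section 2.3.4 ceiling for non-EDNS UDP
EDNS_UDP_SIZE = 4096      # BIND's default edns-udp-size, as cited in the thread
TYPE_OPT = 41             # EDNS0 OPT pseudo-RR (RFC 2671)
DO_BIT = 0x8000           # DNSSEC OK flag in the OPT RR
FLAG_QR, FLAG_TC, FLAG_RD = 0x8000, 0x0200, 0x0100


def encode_name(name):
    """Encode 'a.dns.br.' as length-prefixed labels ending in a zero byte."""
    labels = [l for l in name.rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def skip_name(msg, off):
    """Return the offset just past a name, honouring RFC 1035 compression pointers."""
    while True:
        length = msg[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:   # a two-byte pointer ends the name
            return off + 2
        off += 1 + length


def opt_rr(udp_size, dnssec_ok=True):
    """OPT RR: root name, TYPE=41, CLASS=UDP payload size, TTL=ext-rcode/version/flags."""
    flags = DO_BIT if dnssec_ok else 0
    return b"\x00" + struct.pack("!HHBBHH", TYPE_OPT, udp_size, 0, 0, flags, 0)


def build_query(qname, qtype=1, txid=0x1234, udp_size=EDNS_UDP_SIZE, dnssec_ok=True):
    """Query with RD set and one OPT record in the additional section (like dig +dnssec)."""
    header = struct.pack("!HHHHHH", txid, FLAG_RD, 1, 0, 0, 1)
    question = encode_name(qname) + struct.pack("!HH", qtype, 1)
    return header + question + opt_rr(udp_size, dnssec_ok)


def build_response(query, rrs, truncated=False, udp_size=EDNS_UDP_SIZE):
    """Constructed response to `query`: echoes the question, adds `rrs`
    (list of (rtype, ttl, rdata)) with a compression pointer to the question
    name at offset 12, and appends the responder's own OPT record."""
    txid = struct.unpack("!H", query[:2])[0]
    question = query[12:skip_name(query, 12) + 4]
    flags = FLAG_QR | (FLAG_TC if truncated else 0)
    header = struct.pack("!HHHHHH", txid, flags, 1, len(rrs), 0, 1)
    body = b"".join(b"\xC0\x0C" + struct.pack("!HHIH", rtype, 1, ttl, len(rdata)) + rdata
                    for rtype, ttl, rdata in rrs)
    return header + question + body + opt_rr(udp_size)


def parse_message(msg):
    """Walk a query or response and report size, flags and EDNS parameters."""
    txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    off = 12
    for _ in range(qd):
        off = skip_name(msg, off) + 4
    info = {"id": txid, "tc": bool(flags & FLAG_TC), "size": len(msg),
            "counts": (an, ns, ar), "edns_udp_size": None, "do": None}
    for _ in range(an + ns + ar):
        off = skip_name(msg, off)
        rtype, rclass, ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10 + rdlen
        if rtype == TYPE_OPT:                 # CLASS carries the buffer size,
            info["edns_udp_size"] = rclass    # low 16 bits of TTL carry the flags
            info["do"] = bool(ttl & DO_BIT)
    if off != len(msg):
        raise ValueError("trailing bytes or short message")
    return info


def classify(msg):
    """How a resolver treats a UDP response of this shape."""
    info = parse_message(msg)
    if info["tc"]:
        return "retry-over-tcp"
    if info["size"] <= CLASSIC_UDP_LIMIT:
        return "fits-in-512"
    return "needs-edns"   # only deliverable if the requester advertised >= size


# Constructed sample messages (not captured traffic).
QUERY = build_query("example.com.")
SMALL = build_response(QUERY, [(1, 172800, bytes([192, 0, 2, i])) for i in (1, 2)])
LARGE = build_response(QUERY, [(28, 172800, bytes(15) + bytes([i])) for i in range(20)])
TRUNC = build_response(QUERY, [], truncated=True)

if __name__ == "__main__":
    for label, msg in (("query", QUERY), ("small", SMALL), ("large", LARGE), ("trunc", TRUNC)):
        print(label, parse_message(msg), classify(msg))
```

Running it prints each constructed message's parsed fields and the resolver's next step. The `needs-edns` case is the situation of the 528-byte `.com` referral above: it travels over UDP only because the requester's OPT record advertised a 4096-byte buffer, while a requester without EDNS would get a truncated reply and fall back to TCP.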